Re: [Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-02 Thread Chris Lawder
Hi,
I believe I have most of the underlying structure set up correctly at 
this time. Specific questions would include proper set up of ldap 
containers (tree?), authentication users (for adding computers etc), how 
to correctly add users and computers, and the tools used to do so. I hit 
a wall when I attempted to add a win2k workstation to the domain from 
that workstation.

But as mentioned in my original post I will most likely be rebuilding 
the Samba(PDC) server as it is currently a Slackware 10 build which 
lacks PAM support. Much of what I have read regarding NIS (/etc/passwd) 
replacement with LDAP describes using pam_ldap. At this time I have 
system (not samba) authentication working via ldap using only nsswitch 
but that seems to be restricted to {CRYPT} encryption of passwords.

I am not yet exactly certain how Kerberos fits into this. I had added 
Kerberos support as some of the documentation I read spoke of it as a 
prerequisite for LDAP. At this time I am only using it as the rootdn 
(gssapi) authentication type for local and remote root access to the 
ldap server. But this has given me the opportunity to learn Kerberos as 
I have set up ssh auth to all unix servers using it now. Fun!

As a note this is my first time working with both Kerberos and OpenLDAP. 
Much learning ahead :-)

Thank you for your help,
Chris
Thomas M. Skeren III wrote:
Andrew Bartlett wrote:
I've got it up with two way trusts to a w2k domain everything over an 
ipsec vlan:

s: 3.0.10 ports build
FBSD: 5.3
etc.   Any specific questions?
On Tue, 2005-03-01 at 15:43 -0800, Chris Lawder wrote:
 

... Setting up a Samba PDC with the following:
FreeBSD 5.3
Samba 3.0.x
OpenLDAP 2.2.x
Kerberos (Heimdal)
  

Have you read:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
Also, Howard Chu has a module in current OpenLDAP called smbk5pwd, which
was constructed to allow LDAP to 'set' all the different password types.
(Unfortunately I don't use it yet, despite being the person it was
constructed for...)
Andrew Bartlett
 


--
Number 41 Media Corporation
Suite 103 - 645 Fort Street
Victoria BC V8W 1G2
T 250.414.0410
F 250.414.0411
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-01 Thread Chris Lawder
... Setting up a Samba PDC with the following:
FreeBSD 5.3
Samba 3.0.x
OpenLDAP 2.2.x
Kerberos (Heimdal)
Would like LDAP to take care of both posixAccount(s) and 
sambaSamAccount(s). Posix account via nsswitch+pam_ldap.

Hope to find one complete documentation that describes this setup from 
scratch, start to finish. A Ports style install of all packages is fine 
but I can download, compile and install packages by hand if needed.

Problem I am currently having is that I can set up a kerberos server and 
an ldap server, access both and use ldap for authentication to both the 
system and samba. I can add users via smbpasswd and use those users (in 
ldap) to access shares. Where I run into problems is trying to add 
computers (Windows 2kPro) from the windows systems. Have tried much 
playing around at this point but am unable to figure out the 
configuration that allows for this.

I have been working from the O'Reilly LDAP book and various differing 
documentation I have found on the net. The O'Reilly book describes a 
Samba 2.x style samba.schema but I have moved to a 3.x samba.schema set 
up now as I attempt to learn this. My current Kerb/LDAP server is 
FreeBSD 5.3. The Samba PDC is Slackware 10 and its lack of PAM support 
is possibly causing some issues but do not know for sure. I want to drop 
Slackware at this point and make the PDC FreeBSD 5.3 as well. I want to 
keep the Kerb/LDAP server separate from the PDC. I don't have the 
resources to separate the Kerberos and LDAP servers at this time.

I hope to have documentation that describes setting up the needed ldap 
containers and how to populate them. I have worked from the samba.org 
documentation too but found I got stuck at a few points. This 
documentation shows me ldif examples of how records should look but I 
didn't get a good idea of how to add these records. I didn't believe 
that copying those and ldapadd(ing) them would be best due to wrong data 
in fields such as sambaNTPassword and sambaLMPassword. Maybe I wasn't 
looking in the right places of the samba.org docs?

I hope this well describes what I am hoping to find. Thank you all in 
advance.

Chris
--
Number 41 Media Corporation
Suite 103 - 645 Fort Street
Victoria BC V8W 1G2
T 250.414.0410
F 250.414.0411


Re: [Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-01 Thread Andrew Bartlett
On Tue, 2005-03-01 at 15:43 -0800, Chris Lawder wrote:
 ... Setting up a Samba PDC with the following:
 
 FreeBSD 5.3
 Samba 3.0.x
 OpenLDAP 2.2.x
 Kerberos (Heimdal)

Have you read:

https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

Also, Howard Chu has a module in current OpenLDAP called smbk5pwd, which
was constructed to allow LDAP to 'set' all the different password types.
(Unfortunately I don't use it yet, despite being the person it was
constructed for...)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



Re: [Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-01 Thread Thomas M. Skeren III
Andrew Bartlett wrote:
I've got it up with two way trusts to a w2k domain everything over an 
ipsec vlan:

s: 3.0.10 ports build
FBSD: 5.3
etc.   Any specific questions?
On Tue, 2005-03-01 at 15:43 -0800, Chris Lawder wrote:
 

... Setting up a Samba PDC with the following:
FreeBSD 5.3
Samba 3.0.x
OpenLDAP 2.2.x
Kerberos (Heimdal)
   

Have you read:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
Also, Howard Chu has a module in current OpenLDAP called smbk5pwd, which
was constructed to allow LDAP to 'set' all the different password types.
(Unfortunately I don't use it yet, despite being the person it was
constructed for...)
Andrew Bartlett
 



Re: [Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-01 Thread Andrew Bartlett
On Tue, 2005-03-01 at 17:37 -0800, Thomas M. Skeren III wrote:
 Andrew Bartlett wrote:
 
 I've got it up with two way trusts to a w2k domain everything over an
 ipsec vlan:

The kerberos stuff I refer to is all 'unix' (linking Samba and Heimdal
kerberos), I don't run windows servers in production, so I can't help
you on that side of things.  

Who is the kerberos for the benefit of?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



Re: [Samba] Seeking Good Documentation for... (freebsd+ldap+samba(pdc)+kerberos)

2005-03-01 Thread Thomas M. Skeren III
Andrew Bartlett wrote:
On Tue, 2005-03-01 at 17:37 -0800, Thomas M. Skeren III wrote:
 

Andrew Bartlett wrote:
I've got it up with two way trusts to a w2k domain everything over an
ipsec vlan:
   

The kerberos stuff I refer to is all 'unix' (linking Samba and Heimdal
kerberos), I don't run windows servers in production, so I can't help
you on that side of things.  

Who is the kerberos for the benefit of?
 

Dunno.  I kinda hopped into the middle of the conversation.  Only thing 
I can think is that a samba server is authenticating off of w2k/w2k3.  
It hasn't come up in my trust stuff.  Just trying to help a FBSD user.  
No reason for someone else to have my forehead welts.  ;-)

TMS III
Andrew Bartlett
 
